1. Technical Field
The present invention relates in general to information exchange and in particular to smart cards. Still more particularly, the present invention relates to a system, method and computer program product for performing private information exchange in smart card commerce.
2. Description of the Related Art
A smart card, chip card, or integrated circuit(s) card (ICC), is defined as any pocket-sized card with embedded integrated circuits. Although there is a diverse range of applications, there are two broad categories of ICCs. Memory cards contain only non-volatile memory storage components, and perhaps some specific security logic. Microprocessor cards contain memory and microprocessor components. Not all chip cards contain a microprocessor (e.g., the memory cards), therefore not all chip cards are necessarily also smart cards. However the public usage of the terminology is often inconsistent. The first mass use of the cards was for payment in French pay phones, starting in 1983 (Télécarte). In 1978, Honeywell Bull patented the SPOM (Self Programmable One-chip Microcomputer) that defines the necessary architecture to auto-program the chip. Three years later, the very first “CP8” based on this patent was produced on by Motorola.
The second use of smartcards was with the integration of a microchips into all French debit cards (Carte Bleue) completed in 1992. When paying in France with a Carte Bleue, one inserts the card into the merchant's terminal, then types the PIN, before the transaction is accepted. Only very limited transactions (such as paying small autoroute tolls) are accepted without PIN. Smart-card-based electronic purse systems (in which value is stored on the card chip, not in an externally recorded account) were tried throughout Europe from the mid-1990s, most notably in Germany (Geldkarte), Belgium (Proton), the Netherlands (Chipknip and Chipper), Switzerland (“Cash”), Sweden (“Cash”), UK (“Mondex”) and Denmark (“Danmønt”). None of these programs attracted any notable public interest, and usage levels remained low to negligible. The major boom in smart card use came in the 1990s, with the introduction of the smart-card-based SIM used in GSM mobile phone equipment in Europe. They are becoming quite common now. For the banks interested in introducing smart cards the only quantifiable benefit is the ability to forecast a significant reduction in fraud, in particular counterfeit, lost and stolen. The current level of fraud a country is experiencing determines if there is a business case for the financial institutions.
Smart cards with contactless interfaces are becoming increasingly popular for payment and ticketing applications such as for mass transit. Visa and MasterCard have agreed to an easy-to-implement version currently being deployed (2004-2006) in the USA. Across the globe, contactless fare collection systems are being implemented to drive efficiencies in public transit. The various standards emerging are local in focus and are not compatible. Smart cards are also being introduced in personal identification and entitlement schemes at regional, national, and international levels. Citizen cards, drivers' licenses, and patient card schemes are becoming more prevalent, and contactless smart cards are being integrated into passports to enhance security for international travel. The applications of smart cards include their use as credit or ATM cards, SIMs for mobile phones, authorization cards for pay television, high-security identification and access-control cards, and public transport payment cards.
Smart cards may also be used as electronic wallets. The smart card chip can be loaded with funds which can be spent in parking meters and vending machines or at various merchants. Cryptographic protocols protect the exchange of money between the smart card and the accepting machine. Examples are Proton, GeldKarte, Moneo and Quick. A quickly growing application is in digital identification cards. In this application, the cards are used for authentication of identity. The most common example is in conjunction with a Public Key Infrastructure (PKI). The smart card will store an encrypted digital certificate issued from the PKI along with any other relevant or needed information about the card holder. Examples include the U.S. Department of Defense (DoD) Common Access Card (CAC), and the use of various smart cards by many governments as identification cards for their citizens. When combined with biometrics, smart cards can provide two- or three-factor authentication. Smart cards are a privacy-enhancing technology, and when used in conjunction with appropriate security and privacy policies, can be part of a highly effective authentication system.
Smart cards have been advertised as suitable for these tasks, because they are engineered to be tamper-resistant. The embedded chip of a smart card usually implements some cryptographic algorithm.
Public key cryptography is a form of cryptography which generally allows users to communicate securely without having prior access to a shared secret key. This is done by using a pair of cryptographic keys, designated as public key and private key, which are related mathematically. The term asymmetric key cryptography is a synonym for public key cryptography in most cases. However, there are asymmetric key encryption algorithms which do not have the public key-private key property noted above. For these algorithms, both keys must be kept secret. In public key cryptography, the private key is generally kept secret, while the public key may be widely distributed. In a sense, one key “locks” a lock; while the other is required to unlock it. It should not be possible to deduce the private key of a pair given the public key.
For most of the history of cryptography, a key had to be kept absolutely secret and would be agreed upon beforehand using a secure, but non-cryptographic, method; for example, a face-to-face meeting or a trusted courier. There are a number of significant practical difficulties in this approach to distributing keys. Public key cryptography was invented to address these drawbacks—with public key cryptography, users can communicate securely over an insecure channel without having to agree upon a shared key beforehand.
Since the 1970s, a large number and variety of encryption, digital signature, key agreement, and other techniques have been developed in the field of public key cryptography. The ElGamal cryptosystem (invented by Taher ElGamal then of Netscape) relies on the (similar, and related) difficulty of the discrete logarithm problem, as does the closely related DSA developed by the NSA and NIST. The introduction of elliptic curve cryptography by Neal Koblitz in the mid '80s has yielded a new family of analogous public key algorithms. Although mathematically more complex, elliptic curves appear to provide a more efficient way to leverage the discrete logarithm problem, particularly with respect to key size.
The most obvious application of a public key encryption system is confidentiality; a message which a sender encrypts using the recipient's public key can only be decrypted by the recipient's paired private key. Public-key digital signature algorithms can be used for sender authentication. For instance, a user can encrypt a message with his own private key and send it. If another user can successfully decrypt it using the corresponding public key, this provides assurance that the first user (and no other) sent it. These characteristics are useful for many other, sometimes surprising, applications, like digital cash, smartcards, password-authenticated key agreement, multi-party key agreement, etc.
Stores are in the business of tracking the buying patterns of their customers. Understanding regional, seasonal and demographic buying patterns is the key to launching successful marketing campaigns and stocking inventory. Because of the importance of being able to track buying patterns by an individual (as distinguished from buying patterns for large groups of people) just about every reasonably sized store offers a “store card”. The store card usually carries with it some set of benefits to the consumer, in the form of accumulated points which result in discounts, or direct discounts on every sale. From the vendor perspective, the store card represents a method of tracking each store purchase by an individual consumer, even if the transaction is completed with cash. The incentives offered by the use of the store card increase the likelihood that the consumer will carry and use his or her store card.
The end consumer is, unfortunately, inconvenienced by the proliferation of store cards—he must apply for and carry store cards for all stores that he frequents if he wants to reap the benefits. Much of the information that each store requires is redundant with what other stores require (e.g., Name, Address, Phone Number, etc.), while there may be some unique information (e.g., Mother's Maiden Name, Social Security Number) that the consumer may want to share with just a subset of the authorized stores. Because of the inconvenience of carrying and applying for store cards that the consumer may not frequent often, the consumer may not apply for some fringe store cards and therefore not reap the benefits. Vendors, on the other hand, are motivated to simplify the store card process, which would result in more consumers applying for and using their store cards, which in turn would result in more accurate information on consumer trends.